ThreatPress

WordPress Vulnerabilities Database

WordPress Users Ultra Plugin <= 1.5.15 - Multiple SQL Injection

Product
Users Ultra
Description
Multiple SQL injection vulnerabilities allow attackers to execute arbitrary SQL commands via either of two parameters, "data_target" or "data_vote", in a rating_vote (wp_ajax_nopriv_rating_vote) action sent to wp-admin/admin-ajax.php.
Solution
Update the plugin.
Classification
Type: SQL Injection
OWASP Top 10: A1: Injection
References
CVE Mitre
CVE
Name: CVE-2015-4109
Versions
Affected In: <= 1.5.15
Fixed In: 1.5.16
Disclosure date
2015-05-28
Credits
Panagiotis Vagenas